Date: Saturday, July 18, 2026
Audience: Server, identity, network, cloud, SOC, OT/ICS, incident-response, and defense-sector administrators
Estimated reading time: 18 minutes

BCG_Server_Security_Feed_2026-07-18.md

Executive Admin Summary


Three issues require immediate defensive action:

  • CISA expanded the actively exploited Microsoft SharePoint cluster on July 16 by adding CVE-2026-58644 to its Known Exploited Vulnerabilities catalog. On-premises SharePoint operators should patch, hunt for IIS machine-key theft and other persistence, and rotate machine keys only after the environment is clean.
  • CISA added two unauthenticated FortiSandbox command-injection vulnerabilities—CVE-2026-25089 and CVE-2026-39808—with a July 19 federal deadline. Because FortiSandbox is a privileged security and integration hub, exposed appliances require compromise assessment, not merely an upgrade.
  • A multinational advisory attributes continuing exploitation of routers in communications, defense, energy, government, and healthcare networks to Russian FSB Center 16.

The safety-first order of operations is: contain exposed control planes; preserve evidence; patch or replace affected systems; hunt for pre-patch access; then rotate credentials, keys, and trust material after persistence has been removed.

Do not make emergency controller or safety-system changes without a verified safe state, rollback plan, and operational authorization.

Immediate Action Required


On-premises SharePoint: expanded exploitation cluster and machine-key theft

Priority: Critical

Intelligence Update: CISA added CVE-2026-58644 to KEV on July 16, with a July 19 remediation deadline for covered federal systems. Microsoft currently describes it as remote code execution through unsafe deserialization by an attacker authenticated with at least Site Owner privileges.

That prerequisite must not be used to lower priority. CISA’s active-exploitation alert covers a broader SharePoint cluster that includes CVE-2026-32201, CVE-2026-45659, and the unauthenticated CVE-2026-56164. CISA reports IIS machine-key theft, deserialization-based persistence, and malware deployment. SharePoint Online is not affected by these on-premises-server vulnerabilities.

Assessment: Stolen machine keys may allow an intruder to forge trusted application state and recover access after superficial cleanup. In defense, government, energy, research, and supplier environments, SharePoint frequently contains engineering information, operational plans, procurement records, credentials, and partner data. Treat an internet-exposed vulnerable server as a potential incident even after patching. Public sources have not attributed the activity to a specific actor.

Operational Impact: Server-level code execution, persistent application-layer access, sensitive-data theft, credential exposure, and lateral movement. Rotating keys before removing the attacker may simply expose the replacement keys.

Operational Notes:

  • Inventory every on-premises SharePoint 2016, 2019, and Subscription Edition farm, including test, recovery, and intermittently connected nodes.
  • Apply the latest July cumulative security update to every farm server and verify the installed build.
  • Current July rollup targets are 16.0.5561.1001 for SharePoint 2016, 16.0.10417.20175 for SharePoint 2019, and 16.0.19725.20434 for Subscription Edition.
  • Enable and verify Antimalware Scan Interface integration for every SharePoint web application.
  • Restrict direct internet exposure and tightly limit Central Administration access.
  • Before rotating IIS machine keys, preserve logs and images where practical. Hunt for web shells, key-harvesting tools, unexpected assemblies, tasks, services, accounts, and outbound connections.
  • Remove persistence first, then rotate machine keys across the farm during a coordinated maintenance window.
  • Review privileged accounts and Site Owner assignments. Revoke exposed credentials and service secrets from a clean administrative host.
  • If the evidence is incomplete, isolate the farm behind a controlled access path and engage incident response. Do not close the incident solely because the build number is current.

Assessment Confidence: High. Exploitation and remediation are confirmed by CISA and Microsoft; actor attribution and victim scope remain undisclosed.

Sources:
CISA, “CISA Urges SharePoint Hardening After New Exploitations,” updated July 16, 2026
CISA, “CISA Adds Three Known Exploited Vulnerabilities to Catalog,” July 16, 2026
Microsoft Security Response Center, “CVE-2026-58644 Microsoft SharePoint Remote Code Execution Vulnerability”
Microsoft, “July 2026 SharePoint Server security updates”
Tenable Research Special Operations, “Frequently Asked Questions About Active Exploitation of Microsoft SharePoint Server Vulnerabilities”

FortiSandbox: two unauthenticated command-injection flaws in KEV

Priority: Critical

Intelligence Update: CISA added CVE-2026-25089 and CVE-2026-39808 to KEV on July 16, with a July 19 federal remediation deadline. Fortinet describes both as OS command-injection vulnerabilities reachable through crafted HTTP requests without authentication.

CVE-2026-39808 affects FortiSandbox 4.4.0 through 4.4.8 and is fixed in 4.4.9. The 5.0 branch is not affected by that vulnerability.

CVE-2026-25089 affects:

  • FortiSandbox 4.4.0–4.4.8; fixed in 4.4.9.
  • FortiSandbox 5.0.0–5.0.5; fixed in 5.0.6.
  • FortiSandbox Cloud and PaaS 5.0.4–5.0.5; fixed in 5.0.6.

A public proof of concept exists for CVE-2026-39808.

Assessment: FortiSandbox analyzes hostile content and may connect to firewalls, mail systems, SIEM platforms, storage, and automation tools. Compromise could blind detection, alter analysis, expose samples, steal integration credentials, or create a trusted pivot. CISA’s current KEV determination should take precedence over a lagging exploitation field on an older vendor page.

Operational Impact: Unauthenticated command execution on a privileged security appliance, with possible downstream exposure through administrative credentials, API tokens, orchestration integrations, and trusted network placement.

Operational Notes:

  • Upgrade supported 4.4 systems to at least 4.4.9 and 5.0 systems to at least 5.0.6.
  • Confirm Cloud and PaaS tenant versions with Fortinet.
  • Escalate unsupported branches for vendor-directed containment or replacement.
  • Remove public exposure. Restrict web, API, and management access to dedicated networks and authorized jump hosts.
  • Preserve appliance logs, configuration, snapshots, and upstream firewall or proxy telemetry before upgrading or rebuilding.
  • Hunt for unexpected command or process execution, new accounts, configuration changes, anomalous outbound connections, modified integrations, and inconsistencies in sandbox output.
  • If compromise is suspected, rebuild or redeploy from trusted media.
  • Rotate appliance, API, SIEM, firewall, mail, storage, and automation credentials from a clean host. Examine downstream systems for abuse of stolen trust.

Assessment Confidence: High. Active exploitation and deadlines are confirmed by CISA; affected and fixed releases are confirmed by Fortinet. Actor and victim details remain unreported.

Sources:
CISA, “CISA Adds Three Known Exploited Vulnerabilities to Catalog,” July 16, 2026
Fortinet PSIRT FG-IR-26-100, “OS Command Injection through API endpoint”
Fortinet PSIRT FG-IR-26-141, “Second-Order OS Command Injection via JSON Input on start vnc feature”
NIST National Vulnerability Database, CVE-2026-39808
NIST National Vulnerability Database, CVE-2026-25089

Russian FSB Center 16: ongoing router targeting in critical sectors

Priority: High

Intelligence Update: A July 13 multinational advisory attributes continuing exploitation of poorly configured and vulnerable routers to Russian FSB Center 16. The campaign is opportunistic and global.

The sectors identified as most at risk are communications, defense industrial base, energy, government facilities—particularly state and local government—healthcare and public health, and financial services.

The actors reportedly:

  • Scan for SNMP agents using default or common community strings.
  • Send spoofed SNMP Set requests instructing routers to copy configurations, often named config.bkp or output.txt, to actor-controlled infrastructure over TFTP or FTP.
  • Abuse Cisco Smart Install and web-management portals.
  • Exploit legacy vulnerabilities including CVE-2018-0171 and CVE-2008-4128.

Assessment: Router-configuration theft exposes topology, access-control lists, management endpoints, local credentials, VPN information, and trust relationships. That intelligence can support espionage, disruption, or later access during a military or political crisis. Scanning alone is not proof of compromise, but writable SNMPv1/v2 exposed to untrusted networks warrants an immediate hunt.

Operational Impact: Covert collection, traffic redirection, persistence outside endpoint visibility, and access to operational or mission networks. In hospitals, utilities, defense suppliers, and emergency services, disruption or misrouting can create direct safety consequences.

Operational Notes:

  • Disable Cisco Smart Install unless an explicitly documented operational requirement exists.
  • Migrate to SNMPv3 with authentication and privacy using the newest supported encryption.
  • Disable SNMPv1/v2. Where temporary legacy use is unavoidable, replace default strings, make access read-only, and tightly restrict source addresses.
  • Alert on inbound SNMP Set requests and configuration-copy OIDs, especially 1.3.6.1.4.1.9.9.96.1.1 and 1.3.6.1.4.1.9.9.96.1.1.1.1.5.
  • Investigate TFTP or FTP transfers to unfamiliar external hosts.
  • Restrict management protocols to out-of-band systems.
  • At network boundaries, block UDP 69, TCP 4786, UDP 161/162, and TCP/UDP 10161/10162 unless mission-essential and tightly source-limited.
  • Use strong, unique device credentials and modern Cisco password storage such as Type 8. Eliminate Types 0, 4, and 7.
  • Review unexpected local-account logins and configuration changes.
  • Update supported firmware and replace end-of-life routers.
  • If configuration theft is suspected, preserve device and flow logs, compare running and startup configurations, rotate exposed credentials, and inspect connected trust paths.

Assessment Confidence: High. Attribution, target sectors, techniques, and mitigations are jointly assessed by multiple national cyber and intelligence agencies.

Sources:
NSA, CISA, FBI, DC3, and international partners, Joint Cybersecurity Advisory AA26-194A, “Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting”
NSA, “Reducing the Risk of Simple Network Management Protocol (SNMP) Abuse”
NSA, “NSA and Partners Release Guidance on Improving Router Hygiene to Protect Against Russian State-Sponsored Targeting”
FBI, “Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure”

Patch / Upgrade Watch


SonicWall SMA1000: KEV deadline has passed

Priority: High

Intelligence Update: CVE-2026-15409, an unauthenticated SSRF rated CVSS 10.0, and CVE-2026-15410, authenticated administrative code injection rated 7.2, were exploited as a chain against SMA1000 appliances. CISA’s July 17 deadline has passed. SonicWall reports multiple exploitation cases.

Operational Notes:

  • For SMA1000 6210, 7210, and 8200v appliances, move affected 12.4.3 builds to 12.4.3-03453 or later.
  • Move affected 12.5.0 builds to 12.5.0-02835 or later.
  • Preserve logs before changes, remove internet-facing management, and review access, routing, configuration, and authentication anomalies covering the entire vulnerable period.
  • Reimage hardware or redeploy virtual appliances when compromise is suspected.
  • Revoke and rotate administrative, directory, VPN, certificate, and integration credentials after containment.

Assessment Confidence: High.

Sources:
SonicWall PSIRT SNWLID-2026-0008
CISA, “CISA Adds Four Known Exploited Vulnerabilities to Catalog,” July 14, 2026
Rapid7, “Rapid7 MDR Team Discovers New SonicWall SMA1000 Zero Days Being Actively Exploited”

AD FS CVE-2026-56155: exploited identity-trust vulnerability

Priority: High

Intelligence Update: Microsoft reports exploitation of CVE-2026-56155, an AD FS Distributed Key Manager container access-control weakness rated CVSS 7.8. This is a local, low-privilege escalation issue—not an unauthenticated remote-entry vulnerability. The DKM container protects material associated with AD FS token-signing and token-decrypting certificate keys.

Operational Notes:

  • Install the July update across every AD FS node and verify consistent hardening.
  • Review DKM object permissions and Microsoft’s hardening events 1132 through 1136.
  • Investigate unexpected DKM access by non-administrative principals.
  • Do not rotate token-signing or decrypting material reflexively.
  • If compromise is suspected, coordinate key replacement with relying parties, Microsoft Entra integration, and incident response to avoid an authentication outage.

Assessment Confidence: High for the vulnerability and exploitation status; Moderate for environment-specific trust impact until DKM access and token activity are examined.

Sources:
Microsoft Security Response Center, “CVE-2026-56155 Windows Active Directory Federation Services Elevation of Privilege Vulnerability”
Microsoft Support KB5121391, “CVE-2026-56155: AD FS DKM container ACL hardening”
NIST National Vulnerability Database, CVE-2026-56155

July 16 OT advisories: controller and power-automation availability

Priority: High in safety- or mission-critical deployments; otherwise Medium under planned change control

Intelligence Update: CISA released nine ICS advisories on July 16. The highest-consequence items include three Rockwell controller vulnerabilities—CVE-2025-12011, CVE-2025-12012, and CVE-2025-11698—rated up to CVSS 8.6. They can force major non-recoverable faults or denial of service in affected CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix families.

A separate crafted-CIP-message vulnerability affects Rockwell 1756-EN2, EN3, and ENBT communications modules. Supported EN2/EN3 branches have 12.002 fixes. Discontinued ENBT hardware requires segmentation and replacement planning.

Siemens also published fixes for multiple SICAM 8 power-automation weaknesses with possible denial-of-service, security-policy-bypass, code-execution, or privilege-escalation consequences. CISA reported no known public exploitation in these advisories at publication.

Operational Notes:

  • Map exact catalog numbers and firmware against CISA and vendor matrices. Do not infer safety from a product-family name alone.
  • Test updates with representative logic, communications, redundancy, and failover.
  • Establish a verified safe process state and recovery path before controller or power-automation changes.
  • Until patched, isolate engineering and controller networks and restrict CIP and administrative traffic to authorized stations.
  • Monitor for unexpected controller faults, mode changes, firmware operations, or engineering-session access.
  • Replace discontinued modules that have no fix. Compensating controls reduce exposure but do not remove the vulnerability.

Assessment Confidence: High for the affected classes and consequences. Operational severity depends on network reachability, exact firmware, and process design.

Sources:
CISA ICSA-26-197-06, “Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix”
CISA ICSA-26-197-02, “Rockwell Automation 1756-EN2, 1756-EN3, and 1756-ENBT”
CISA ICSA-26-197-05, “Siemens SICAM 8”
Rockwell Automation product security advisories corresponding to the July 16 CISA releases
Siemens ProductCERT SSA-229470

Oracle EBS Payments and KNX building automation: deadline today

Priority: High where deployed

Intelligence Update: CISA added Oracle E-Business Suite Payments CVE-2026-46817 and KNX CVE-2023-4346 to KEV on July 15, with a July 18 federal deadline.

The Oracle vulnerability is an unauthenticated network flaw in EBS Payments 12.2.3 through 12.2.15, rated CVSS 9.8. The KNX authorization-key weakness has physical-security implications because KNX is used for building automation and facility control.

Operational Notes:

  • Apply the relevant Oracle May 2026 CPU remediation, restrict HTTP exposure, and review access and application logs for pre-patch exploitation.
  • Inventory exposed KNX interfaces and gateways, apply manufacturer remediation, replace default or exposed authorization material, and segment building-control networks.
  • In hospitals, laboratories, secure facilities, chemical sites, and weapons-related facilities, coordinate KNX changes with facilities and physical-security teams to preserve ventilation, access control, alarms, and life-safety functions.

Assessment Confidence: High for active exploitation and the deadline. Device-specific KNX remediation must be confirmed with the applicable manufacturer.

Sources:
CISA, “CISA Adds Two Known Exploited Vulnerabilities to Catalog,” July 15, 2026
Oracle, May 2026 Critical Patch Update documentation for CVE-2026-46817
NIST National Vulnerability Database, CVE-2026-46817
NIST National Vulnerability Database, CVE-2023-4346

Detection / Monitoring Watch


AsyncAPI npm supply-chain compromise: import-time Miasma RAT

Priority: High for build, platform-engineering, and defense-supplier environments

Intelligence Update: On July 14, attackers published five malicious AsyncAPI package versions:

  • @asyncapi/specs 6.11.2-alpha.1 and 6.11.2
  • @asyncapi/generator 3.3.1
  • @asyncapi/generator-components 0.7.1
  • @asyncapi/generator-helpers 1.1.1

The payload executes when a package is imported or required. Therefore, npm install --ignore-scripts is not an effective defense.

The compromise began with an unsafe pull_request_target GitHub Actions workflow that exposed a privileged bot token. Legitimate OIDC release automation subsequently produced malicious packages with valid provenance attestations. The packages were unpublished on July 14, but existing lockfiles, caches, runners, containers, and installed dependencies may retain them.

Operational Notes:

  • Search lockfiles, SBOMs, images, artifacts, dependency caches, and runner inventories for the exact malicious versions.
  • Known earlier clean versions are specs 6.11.1, generator 3.3.0, generator-components 0.7.0, and generator-helpers 1.1.0.
  • Hunt for sync.js under %LOCALAPPDATA%\NodeJS on Windows, ~/Library/Application Support/NodeJS on macOS, and ~/.local/share/NodeJS on Linux.
  • Block and investigate connections to 85.137.53[.]71 on ports 8080, 8081, and 8091.
  • Check Linux for miasma-monitor.service, Windows for an HKCU Run persistence entry named miasma-monitor, and macOS for shell-startup modification.
  • Purge dependency caches and rebuild affected workstations, runners, images, and artifacts from trusted inputs.
  • If an affected package was imported, rotate GitHub, npm, cloud, Kubernetes, registry, SSH, signing, and deployment secrets accessible to that execution context.
  • Audit workflows using pull_request_target, particularly any that check out or execute pull-request-controlled code.
  • Treat package provenance as evidence of the publishing workflow—not proof that the source commit was authorized.

Assessment Confidence: High. Package versions, delivery path, payload behavior, and indicators are independently documented by multiple research teams and Microsoft.

Sources:
Microsoft Security, “Unpacking the AsyncAPI npm supply chain compromise and import-time payload delivery”
Socket, “Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader”
StepSecurity, “Coordinated AsyncAPI Supply Chain Attack: Miasma RAT Delivered via Compromised CI/CD Pipelines in Two Repositories”

Control-plane compromise review

Priority: High

Operational Notes:

  • Correlate pre-patch access across SharePoint, FortiSandbox, SonicWall SMA1000, AD FS, routers, identity providers, firewalls, proxies, EDR, DNS, and flow telemetry.
  • Preserve evidence before rebooting, upgrading, or rotating keys.
  • Document clock skew and time zones so appliance events can be correlated accurately.
  • Hunt for new local or service accounts, unauthorized configuration exports, altered routes or trust settings, abnormal child processes, unexpected outbound sessions, disabled logging, and telemetry gaps.
  • Rotate secrets only from clean systems and after persistence removal.
  • Validate every downstream consumer of a rotated certificate, key, API token, or federation trust to prevent self-inflicted outages.
  • In critical infrastructure and military-support networks, establish manual or degraded-mode operating procedures before isolating a control plane.

Assessment Confidence: High as defensive guidance; specific indicators and scope are environment-dependent.

Lower-Priority Server-Risk Notes


NASA Core Flight System Health and Safety application

CISA’s July 16 advisory recommends updating the NASA Core Flight System Health and Safety application to version 7.0.1. No public exploitation was reported.

This is specialized, but aerospace, space, defense-research, simulator, and mission-system operators should inspect forks and embedded copies rather than relying only on package names.

Source: CISA ICSA-26-197-03, “NASA Core Flight System Health and Safety Application.”

Public proof of concept does not equal confirmed exploitation

Several newly disclosed vulnerabilities have public technical details or proof-of-concept code. This feed promotes issues to Immediate Action only where exploitation, direct exposure, or sector consequence is supported.

Continue exposure reduction and vulnerability scanning, but do not displace confirmed SharePoint, FortiSandbox, router, SonicWall, AD FS, Oracle, or KNX work merely because a lower-impact PoC is receiving more attention.

Ransomware reporting without verified administrator action

Recent corporate ransomware incidents were reviewed but not elevated where public information does not identify a repeatable server vulnerability, validated defensive indicator, common supplier compromise, or safety-relevant action.

Reassess if victims disclose OT effects, stolen trust material, shared infrastructure, or a common intrusion path.

Admin Action Checklist


Next 0–4 hours

  • Identify internet-exposed SharePoint, FortiSandbox, SonicWall SMA1000, and network-management interfaces; restrict or isolate them.
  • Confirm SharePoint July builds and FortiSandbox fixed releases.
  • Treat vulnerable exposed instances as possible incidents.
  • Preserve logs and appliance evidence before upgrades, reboots, or key rotation.
  • Disable Cisco Smart Install and public SNMP management.
  • Alert on SNMP configuration-copy behavior and external TFTP or FTP transfers.
  • Search build infrastructure and dependency inventories for the malicious AsyncAPI versions.

Next 4–24 hours

  • Complete SharePoint artifact hunting, then rotate IIS machine keys after persistence removal.
  • Upgrade FortiSandbox and rotate connected secrets if compromise is plausible.
  • Complete overdue SonicWall, Oracle EBS Payments, and KNX remediation with pre-patch log review.
  • Patch all AD FS nodes and review DKM permissions and hardening events.
  • Block the AsyncAPI C2 indicator, purge caches, rebuild affected execution environments, and rotate reachable secrets.

Next 24–72 hours

  • Inventory end-of-life routers and SNMPv1/v2 dependencies; establish a funded replacement and migration plan.
  • Map Rockwell and Siemens OT assets to exact vendor matrices and schedule safety-governed updates.
  • Confirm that critical services can operate in manual or degraded mode.
  • Verify that backups include restorable configurations, certificates, and dependency documentation.
  • Review CI workflows for pull_request_target and other paths where untrusted code can reach privileged tokens or release automation.
  • Brief leadership on confirmed exposure, unresolved evidence gaps, expected service risk, and safety tradeoffs—not only patch percentages.

BCG Assessment


The dominant pattern is compromise of trusted control planes: collaboration servers, security appliances, routers, federation services, building automation, and software-release systems. These assets can give an attacker broader and quieter influence than a single endpoint.

The immediate objective is not simply to “patch everything fastest.” It is to prevent loss of operational control while preserving safety and evidence.

Organizations supporting defense, energy, healthcare, government, aerospace, chemical operations, secure facilities, or emergency communications should use a stricter threshold for containment. An exposed vulnerable control plane, unexplained configuration export, loss of security-appliance integrity, or stolen identity trust material should trigger incident response even when services appear normal.

Where emergency changes could endanger a physical process, establish a safe state first, isolate the access path, and execute remediation under authorized operational control.


Jonathan Lockhart is a cybersecurity researcher and investigative journalist at bordercybergroup.com.

If you would like to support our work — useful, well-researched, ad-free cybersecurity intelligence — subscribe, comment, or buy us a coffee! Thanks.